Update 132 breaks DNS blocking

General questions.
dnl
Posts: 375
Joined: June 28th, 2013, 11:03 am

Update 132 breaks DNS blocking

Post by dnl » June 8th, 2019, 2:03 am

The wiki has instructions for forcing all clients to use IPFire for DNS, rather than resolving directly to the internet. This is a good security practice.

Since upgrading to core update 132 I have found that the firewall rules to block external DNS traffic are now preventing clients from resolving DNS through IPFire. IPFire itself is able to resolve URLs itself (tried from an SSH session). It doesn't appear to be a problem with unbound, disabling the "block" firewall rules fixes the issue. Any idea what's changed?

How can we get the same functionality, where IPFire is the only DNS service able to get out to the internet?

Thank you in advance!
IPFire 2.x (Latest Update) on x86_64 Intel Bay Trail CPU, 4GiB RAM, RED + GREEN + BLUE + ORANGE

dnl
Posts: 375
Joined: June 28th, 2013, 11:03 am

Re: Update 132 breaks DNS blocking

Post by dnl » June 8th, 2019, 2:08 am

Does anyone have an updated diagram for iptables? I remember seeing one which showed the various chains and how they interact.
I confess I find them difficult to follow in a shell.

It seems that Update 132 has changed how the rules are arranged. A rule which previously blocked SSH outbound (amongst other ports) now blocks SSH (on TCP/22) to IPFire itself. Before 132 that rule only prevented TCP/22 to the internet.
IPFire 2.x (Latest Update) on x86_64 Intel Bay Trail CPU, 4GiB RAM, RED + GREEN + BLUE + ORANGE

dnl
Posts: 375
Joined: June 28th, 2013, 11:03 am

Re: Update 132 breaks DNS blocking

Post by dnl » June 8th, 2019, 6:32 am

If I follow the original wiki instructions but add additional "Incoming" firewall rules to allow access to DNS to the firewall's interfaces it appears to have the correct functionality. For example:
  • Source: Standard networks "GREEN"
  • Destination: Firewall "GREEN"
  • Protocol: - Preset, Service Groups "DNS"
Is this the best way to achieve blocking all DNS traffic, except through IPFire's resolver?

Thanks in advance!
IPFire 2.x (Latest Update) on x86_64 Intel Bay Trail CPU, 4GiB RAM, RED + GREEN + BLUE + ORANGE

dnl
Posts: 375
Joined: June 28th, 2013, 11:03 am

Re: Update 132 breaks DNS blocking

Post by dnl » June 8th, 2019, 7:11 am

Well I hope it is as I've just updated the wiki page!

If I can get someone else to confirm the problem and that the fix is the best solution I will remove the warning I previously put the top of the wiki page.
IPFire 2.x (Latest Update) on x86_64 Intel Bay Trail CPU, 4GiB RAM, RED + GREEN + BLUE + ORANGE

rocket
Posts: 1
Joined: June 8th, 2019, 5:09 pm

Re: Update 132 breaks DNS blocking

Post by rocket » June 8th, 2019, 5:13 pm

I was affected by this side effect too.
DNS resolving was blocked completely.

Solution is indeed to add an "accept firewall rule" from internal network (GREEN and BLUE) to firewall (GREEN and BLUE) for DNS service group !

User avatar
moisesbites
Posts: 33
Joined: March 23rd, 2015, 1:57 am

Re: Update 132 breaks DNS blocking

Post by moisesbites » June 8th, 2019, 11:35 pm

rocket wrote:
June 8th, 2019, 5:13 pm
I was affected by this side effect too.
DNS resolving was blocked completely.
For me too.
rocket wrote:
June 8th, 2019, 5:13 pm
Solution is indeed to add an "accept firewall rule" from internal network (GREEN and BLUE) to firewall (GREEN and BLUE) for DNS service group !
This solution solved for me:

https://wiki.ipfire.org/configuration/firewall/dns
2. Create “permit” incoming firewall rules for IPFire's DNS server

Source: Standard networks ( GREEN or BLUE )
Destination: Firewall ( GREEN or BLUE )
Protocol: “- Preset” Service Group: DNS
Action: ACCEPT
Moisés Bites

Image

dnl
Posts: 375
Joined: June 28th, 2013, 11:03 am

Re: Update 132 breaks DNS blocking

Post by dnl » June 9th, 2019, 4:54 am

moisesbites wrote:
June 8th, 2019, 11:35 pm
This solution solved for me:

https://wiki.ipfire.org/configuration/firewall/dns
2. Create “permit” incoming firewall rules for IPFire's DNS server

Source: Standard networks ( GREEN or BLUE )
Destination: Firewall ( GREEN or BLUE )
Protocol: “- Preset” Service Group: DNS
Action: ACCEPT
Thanks, but I actually wrote that in the wiki myself earlier yesterday and was hoping for confirmation that it was the best method.
IPFire 2.x (Latest Update) on x86_64 Intel Bay Trail CPU, 4GiB RAM, RED + GREEN + BLUE + ORANGE

User avatar
FischerM
Community Developer
Community Developer
Posts: 1025
Joined: November 2nd, 2011, 12:28 pm

Re: Update 132 breaks DNS blocking

Post by FischerM » June 9th, 2019, 7:49 am

Hi,

Jm2C:

I'm using DoT and didn't run in these problems.

Furthermore I'd already added this code to /etc/sysconfig/firewall.local in 'start' section:

Code: Select all

# Add: Prevent DNS hijacking - BEGIN
iptables -t nat -A CUSTOMPREROUTING -i green0 -p tcp --dport 53 -j DNAT --to [ADD_GREEN_IP_ADDRESS_HERE]:53
iptables -t nat -A CUSTOMPREROUTING -i green0 -p udp --dport 53 -j DNAT --to [ADD_GREEN_IP_ADDRESS_HERE]:53
iptables -t nat -A CUSTOMPREROUTING -i blue0 -p tcp --dport 53 -j DNAT --to [ADD_BLUE_IP_ADDRESS_HERE]:53
iptables -t nat -A CUSTOMPREROUTING -i blue0 -p udp --dport 53 -j DNAT --to [ADD_BLUE_IP_ADDRESS_HERE]:53
# Add: Prevent DNS hijacking - END
And this in 'stop' section:

Code: Select all

# Delete: Prevent DNS hijacking - BEGIN
iptables -t nat -D CUSTOMPREROUTING -i green0 -p tcp --dport 53 -j DNAT --to [ADD_GREEN_IP_ADDRESS_HERE]:53
iptables -t nat -D CUSTOMPREROUTING -i green0 -p udp --dport 53 -j DNAT --to [ADD_GREEN_IP_ADDRESS_HERE]:53
iptables -t nat -D CUSTOMPREROUTING -i blue0 -p tcp --dport 53 -j DNAT --to [ADD_BLUE_IP_ADDRESS_HERE]:53
iptables -t nat -D CUSTOMPREROUTING -i blue0 -p udp --dport 53 -j DNAT --to [ADD_BLUE_IP_ADDRESS_HERE]:53
# Delete: Prevent DNS hijacking - END

Works.

HTH,
Matthias

dnl
Posts: 375
Joined: June 28th, 2013, 11:03 am

Re: Update 132 breaks DNS blocking

Post by dnl » June 9th, 2019, 10:12 am

Thanks Matthias.
The old instructions in the wiki didn't address "Private DNS" in any forms, so port 853 for DoT wasn't blocked. I fixed that when I updated them yesterday.
I've also specifically blocked TCP/443 for 8.8.8.8 and 8.8.4.4 to block DoH for Google public DNS. (This step hasn't made it to the Wiki instructions yet)

If I remember correctly Arne previously provided instructions to modify /etc/sysconfig/firewall.local but later advised against using it. He advised it's best to do I wrote up on the wiki page (the 2nd section). It was a few years ago, but I'll try to find the thread.
Last edited by dnl on June 9th, 2019, 11:38 am, edited 1 time in total.
IPFire 2.x (Latest Update) on x86_64 Intel Bay Trail CPU, 4GiB RAM, RED + GREEN + BLUE + ORANGE

dnl
Posts: 375
Joined: June 28th, 2013, 11:03 am

Re: Update 132 breaks DNS blocking

Post by dnl » June 9th, 2019, 10:21 am

As an aside, I'm currently using DoT with Cloudflare (1.1.1.1) on my mobile device outside of my home network, but using plaintext DNS inside as I use a Pi-hole for Ad Blocking. The Pi-hole software is excellent for seamlessly improving privacy and it's very easy to use.

I'll have to investigate if they support DoT from their resolver.
IPFire 2.x (Latest Update) on x86_64 Intel Bay Trail CPU, 4GiB RAM, RED + GREEN + BLUE + ORANGE

legethi
Posts: 14
Joined: September 7th, 2011, 5:58 pm

Re: Update 132 breaks DNS blocking

Post by legethi » June 13th, 2019, 6:20 pm

Since this update, I have a lot of issue. I follow new rules creation explain here https://wiki.ipfire.org/configuration/firewall/dns but still issue what ever scenario. For example, from packfire, I can't install any new addon, ipfire can't resolve. connection to netflix from my TV not working any more. Another issue I can't connect to my isp box. My network setting start by my ISP box, On 1 port of it I have connected my IPFIRE red interface. the rest of my home network is connected on the green interface. I have a 2016 server having DNS DHCP and AD role. The ISP box is set as router with a DMZ forward to my red interface. In DNS foward of ipfire I have set my w2016 dns Server. My red interface is set to use DHCP so IP come from my ISP box. If I set manually with exact same setting this interface, nothing work, no access to internet.
SSH access on ipfire is not any more possible as well what ever if port 22 or 222 are used and set.
Last point on the Home ipfire page, I have a warning related to dnssec indicating that it's disable. If I set some public dns server compatible with dnssec provide on your wiki, the same DNSSEC still disable.
So until fix provided or correct guideline on how to set ipfire (DNS server, dns fowarding, and firewall rules) I will back to core 131.
Another point but not sure if the issue is related to DNS issue in 132, is that is not working any more, but this happen since last TOR version on 131 and issue still present on 132. I have tried to change group and owner from nobody to tor as indicated in another post.
Thanks for any advice.

thebobbuck
Posts: 2
Joined: September 3rd, 2019, 11:31 pm

Re: Update 132 breaks DNS blocking

Post by thebobbuck » September 3rd, 2019, 11:45 pm

I am trying to use the following version of IPFire:

Code: Select all

IPFire version:	IPFire 2.23 (x86_64) - core134
Pakfire version:	2.23-x86_64
I am not able to successfully use the instructions here to prevent external DNS access:

https://wiki.ipfire.org/configuration/firewall/dns

When I disable/remove the Proxy settings on my Mac's network settings, then content blocking for virtually every web site out does not work, because clients can route directly through the firewall to external (Google or otherwise) DNS servers. Allowing internal users (children) unlimited access to illicit content, and I also want to block access to any form of social media (Facebook, Instagram, Yahoo, etc).

Is there a clear set of instructions that work with the version of the firewall above?

JonM
Posts: 144
Joined: August 4th, 2017, 5:49 pm
Location: US

Re: Update 132 breaks DNS blocking

Post by JonM » September 4th, 2019, 2:12 am

The instructions worked for me a few months ago.

Did you use?
2. Block all DNS traffic except through IPFire's DNS proxy
(this is the only one that currently works)
-or-
1. Redirect all DNS traffic to IPFire's DNS proxy
(this does not work, yet)

And the Additional Configuration must be done also. I did the first one I did 2. Block all DNS traffic and went to https://ipfire:444/cgi-bin/dhcp.cgi and made sure my IPFire box was the Primary DNS.

Screen Shot 2019-09-03 at 9.05.39 PM.png

Sorry I cannot answer about the social media (Facebook, Instagram, Yahoo, etc)... just don't know.
Last edited by JonM on September 12th, 2019, 12:46 pm, edited 1 time in total.
Production:
Image

Testing Raspi 3B+:
Image

thebobbuck
Posts: 2
Joined: September 3rd, 2019, 11:31 pm

Re: Update 132 breaks DNS blocking

Post by thebobbuck » September 12th, 2019, 11:53 am

JonM - I used "2. Block all DNS traffic except through IPFire's DNS proxy".

Just to state back to you what you said, to make sure we understand correctly. When you listed the two options, you listed #2 first, and #1 second, then you said you used the first method. So you used Option #2 as referred to in the documentation, which was listed first by you?

With Option #2 as referred to in the doc, the firewall rules doc seemed incomplete, or rather, subject to some interpretation which could lead to mistakes. Here is my net result:
FwRules.png
And the DHCP settings I configured:
Dhcp.png
I'm not sure if this helps in diagnosing why none of this works for me.

JonM
Posts: 144
Joined: August 4th, 2017, 5:49 pm
Location: US

Re: Update 132 breaks DNS blocking

Post by JonM » September 12th, 2019, 12:43 pm

Wow! That a is confusing! I used "2. Block all DNS traffic except through IPFire's DNS proxy". Sorry about the confusion!

You ended up with two more rules than I did.

Screen Shot 2019-09-12 at 7.41.55 AM.png


EDIT: I just read through the wiki article again and the instructions have changed since I did my rule creation. I don't use "DNS over TLS". And my current rule does not include anything related to "DNS over TLS". In the next few days I'll follow the current instructions and report back.

FYI - the instructions I followed are closer to this older version: https://wiki.ipfire.org/configuration/f ... 9T09:06:31
Production:
Image

Testing Raspi 3B+:
Image

Post Reply